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© An automated transaction system employs 
microprocessor-bearing user cards each issued to a 
respective user for maintainig a history of user ac- 
count transactions and a user account balance, 
microprocessor-bearing master cards issued to ven- 
dors for maintaining a history of master account 
transactions and a master account balance, and ter- 
minals in which a user card and a master card are 
inserted for performing account transfer transactions 
wherein value from the account balance of one card 
is debited and the account balance of the other card 
is correspondingly credited. A transaction history 
recorder is used to produce or record the transaction 
history stored in the card for the user of the vendor. 
In the preferred embodiment, each master card is 
assigned to a respective terminal of a vendor and 
maintains a history of the transactions executed at 
that terminal between the master card and user 
cards presented for transactions at the terminal. 
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FIELD OF INVENTION 

The invention relates to an automated transac- 
tion system which receives with a user card having 
a microprocessor for executing secure transactions 
in which an article or item of value is dispensed 
from a terminal, and an account balance stored in 
the card's memory is debited. In particular, the 
invention is applied to a postage transaction sys- 
tem in which a postage account is maintained 
within the microprocessor card and is used in 
transactions with postage printing and metering ter- 
minals. 

BACKGROUND OF_ INVENTION 

Point-of-sale (POS) terminals and automated 
teller machines (ATM) have been widely used in 
conjunction with various types of cards issued to 
users for sale or credit transactions. For example, 
banks regularly issue account cards which have a 
magnetically coded number stored on a stripe for 
accessing the user's account through ATM termi- 
nals. Credit cards which have coded magnetic 
stripes are inserted in ATM or POS terminals to 
access a central account system for authorization 
of a credit transaction. There also have been pro- 
posals to use cards which have large non-volatile 
memories, e.g. magnetic, integrated circuit (IC), or 
optical memory storage, for storing and retrieving 
information specific to the user, such as a medical 
history, biographical history, maintenance of an ac- 
count balance and transaction history, etc. 

These conventional systems generally employ 
a card which has a passive memory that is read in 
a card reader or computerized terminal maintained 
by a vendor. The security of the cards is problem- 
atic since most account cards used conventionally 
are passive and do not authenticate themselves or 
the particular transactions for which they are used. 
Instead, on-line access through a terminal to a 
central account system, such as bank or credit 
card account records, is required for confirmation 
of each transaction. This requirement places an 
access time and cost burden on vendors, such as 
bank branches and retail stores, which must main- 
tain the terminal facilities, as well as on the oper- 
ator of the central account system, which must 
provide sufficient on-line access for all the users of 
the system and ensure the security of the entire 
system. 

By comparison, off-line transactions, i.e. be- 
tween a user with an authorized card and a termi- 
nal not connected to a central account system, 
have the advantage that the vendor does not have 
to confirm each transaction. A card bearer merely 
inserts the card in a terminal to pay for a purchase 
and the authorized amount of the card is debited 



for the amount of the transaction. In off-line trans- 
actions, the vendor's responsibility can be reduced 
and the transaction process simplified, so that a 
transaction can be completely automated through 

s the use of widely distributed user cards and auto- 
mated terminals. 

However, off-line transactions are more vulner- 
able to the use of counterfeit cards and to tamper- 
ing with the terminals. Thus, the cards have to be 

10 made secure and the transactions limited to small 
amounts. As an example of conventional card se- 
curity measures, a memory card can be divided 
into a number of separately validatable sectors of 
limited value which are irreversibly debited with 

75 each transaction, as disclosed in U.S Patents 
4,204,113 and 4,256,955 to Giraud et al. A persona! 
identification number (PIN) can be written into the 
card's memory at the time of issuance and re- 
quested of the user with each transaction. Termi- 

20 nals are generally made secure by maintaining 
them in areas to which access is restricted or 
supervised. However, these requirements increase 
the cost of operating the system and at the same 
time decrease its utility. 

25 The sophistication of card counterfeiting and 
credit fraud has increased with the widespread use 
of account and credit cards, and even greater se- 
curity measures are currently needed to ensure the 
validity of card transactions. Conventional micro- 

30 processor cards employ resident programs to con- 
trol access to data stored on the card, store a 
selected user PIN to confirm an auhorized user, 
and prevent use of the card if an unauthorized user 
is detected, such as after a limited number of 

3$ incorrect PIN entries. Although such microproces- 
sor cards provide greater security than passive 
cards, the overall system is still vulnerable in that, 
once a valid user's PIN has been ascertained, a 
stolen card can be used for unauthorized transac- 

40 tions in any terminal, and the terminals themselves 
are subject to penetration. These vulnerabilities can 
be offset by limiting the authorized amount of the 
card, controlling access to the terminals, or requir- 
ing on-line confirmation of transactions. However, 

45 such measures again increase the cost of the sys- 
tem and decrease its utility. 

One potential area of application of automated 
systems employing account or credit cards is in 
postage vending and metering machines. Pur- 

5o chases of postage and mailing transactions are 
made primarily in person with cash through tellers 
at post offices. Only limited types of postage 
stamps can be purchased from public vending ma- 
chines. Most private postage metering machines 

55 have limited operational features and must have 
their metering devices removed periodically to a 
post office for refilling. The size and weight of the 
metering devices make them inconvenient to carry. 
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Some metering systems can be refilled by a re- 
mote computer, but the caller must still phone the 
computer center and execute the operator's 
instructions on the postage meter manually. 

The elimination of cash purchases, in-person 
mailing transactions, unnecessary limitations on 
automated postal services, and physical refilling of 
postage metering machines could greatly reduce 
the waiting lines at post offices and facilitate the 
wider dissemination of postage vending and meter- 
ing machines for the convenience of users and 
provide greater access to postal services. The use 
of account or credit cards for automated postal 
machines has been considered. However, the se- 
curity problems of conventional card automated 
systems would require that user cards be validated 
only for relatively small amounts of prepaid post- 
age, that vending and metering machines provide 
limited postal products and be refilled with limited 
total postage amounts, and that access to the ma- 
chines be strictly controlled. These restrictions are 
a substantial obstacle which contribute to the dif- 
ficulty of implementing an automated postal trans- 
action system. 

SUMMARY OF JNVENTION 

In view of the foregoing disadvantages and 
problems of conventional systems, it is a primary 
purpose of the invention to provide an automated 
transaction system which has security features that 
will facilitate the widespread use of account or 
credit cards for off-line transactions and the dis- 
semination of automated transaction terminals to 
which access does not have to be strictly con- 
trolled. A principal object of the invention is to 
provide an interactive card/terminal system in 
which the card and the terminal each have a secu- 
rity feature which prevents the completion of a 
requested transaction unless a secure handshake 
recognition procedure is mutually executed be- 
tween the card and the terminal such that they 
each recognize the other as authorized to execute 
a transaction. In particular, it is desired that the 
card and the terminal cooperate together to ex- 
ecute a simultaneous dispensing of value by the 
terminal and debiting of an authorized balance by 
the card. 

A specific object of the invention is to apply 
the above-mentioned automated transaction system 
to postage metering machines. A further object is 
to provide a new generation of card automated 
postal terminals which have greater flexibility in the 
range of postal products and services offered, 
wherein the terminals are individually secure and 
can be accessed in relatively unrestricted areas, 
and the cards can be refilled at any desired loca- 
tion through secure refilling terminals validated by 



the issuer. 

In accordance with the purposes and objects of 
the invention, a card automated transaction system 
employs a card having a secure, resident micropro- 
s cessor which operates to confirm that a requested 
transaction is authorized and to then initiate an 
interactive handshake recognition procedure with a 
resident microprocessor in the value dispensing 
section of an automated terminal. Upon successful 
w completion of the handshake procedure, the card 
microprocessor and the dispensing section micro- 
processor simultaneously actuate the dispensing of 
the requested article or item of value and the 
debiting of an authorized balance from the card. 
75 A particular embodiment of the invention is a 

mutual handshake recognition procedure executed 
as follows: (1) upon confirming that a requested 
transaction is authorized, the card passes to the 
terminal a word comprising a randomly generated 
20 or other object number encrypted by a first resi- 
dent algorithm and a key number stored in the 
card; (2) the terminal decodes the number using a 
corresponding inverse of the first algorithm and the 
key number; (3) the terminal sends back to the 
25 card a second word comprising the decoded ran- 
dom number encrypted by a second resident al- 
gorithm and the key number; (4) the card decodes 
the second word using a corresponding inverse of 
the second algorithm and the key number and 
30 compares the decoded number to the one original- 
ly sent; (5) if the numbers match, the card micro- 
processor debits its authorized balance for the in- 
dicated amount of the transaction and sends an 
actuation signal to the terminal to proceed with the 
35 transaction; and (6) upon receipt of the actuation 
signal, the dispensing microprocessor actuates the 
dispensing section to complete the transaction. The 
transmitted actuation signal may also be encrypted 
and decoded by the above algorithms or a similar 
40 method. 

Under the principles of the invention, the 
above-described interactive card automated trans- 
action system is applied to postage metering ma- 
chines. In one embodiment, a postage metering 
45 terminal has a slot for receiving a microprocessor 
card issued with an authorized balance, a print 
head with a secure microprocessor which interacts 
with the card microprocessor, a keypad, a display, 
and an operations microprocessor which accepts a 
50 keyed input of the postage amount requested, dis- 
plays the keyed input, queries the card to authorize 
and initiate the postage printing transaction, and 
then resets the machine for the next transaction or 
executes a series of transactions in a repeat mode. 
55 In a related embodiment, a postage metering 

terminal has a first slot for receiving a user micro- 
processor card, a second slot for receiving a postal 
rate card, a print head with a secure microproces- 
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sor, a keypad and other means for entering source 
and destination (postal zip) codes, means for enter- 
ing the weight and postal class of the article to be 
mailed, and an operations microprocessor having a 
program for calculating the correct postage based 
upon the listings of the rate card and the keyed-in 
information. 

The card automated postal transaction system 
can be readily applied not only to the postal pro- 
ducts and services of the U.S. Postal Service, but 
also to private carriers and parcel delivery com- 
panies. In a further embodiment, a postal waybill 
terminal has a third slot for receiving a special 
services card which has stored data from which the 
terminal can print postal and delivery services in- 
formation on standard form blanks. For example, 
the special services card can be used to print Post 
Office forms, such as Certified Mail or Registered 
Mail, or the waybills of private carrier companies. 
The terminal is also provided with a full field dis- 
play of the waybill form, prompts the user for 
information by programmed cursor movements, 
and has command keys for inputting sender and 
addressee information, rate or service class, waybill 
number, carrier information, etc. 

As subsidiary features, the microprocessor 
cards can be configured to provide different types 
of access to the terminals as desired, for example, 
limited numbers or types of users in limited num- 
bers or types of machines, unlimited users in limit- 
ed machines, limited users in unlimited machines, 
or unlimited users in unlimited machines. The dif- 
ferent types of access can be implemented by 
storing key numbers in the card for identifying 
authorized users and/or machines, and/or key num- 
bers in the terminal operations microprocessor for 
identifying authorized users. The user cards can 
also be configured at the time of issuance for limits 
to the amounts and types of individual transactions, 
and temporary or permanent locking upon detec- 
tion of an unauthorized user or card. Another sys- 
tem feature is the storing of a history of transac- 
tions executed by the card, and the recomputing of 
the remaining balance upon each transaction re- 
quest, in order to save card memory space. A 
separate transaction printer may be used to obtain 
a printout of the card's transaction history. 

The postage metering terminals according to 
the invention are also provided with means for 
allowing a post office or carrier to authenticate the 
postage marks or waybills that are printed. In one 
embodiment, the terminal printer prints within or 
under the postmark a coded number or sequence 
of marks corresponding to an element of the post- 
mark, such as the amount of postage, the terminal 
identification number, and/or the sender's zip code. 
The marks may be disguised or made invisible by 
printing with a magnetically or optically readable 



ink to deter tampering or unauthorized simulation. 
They may then be machine-read by the post office 
or private carrier company to determine whether 
the printed postmark was printed by an authorized 
s printer, and at the same time provide an audit trail 
to the sender. 

In accordance with a further application of the 
invention, an integrated system of microprocessor 
cards and terminals provides transaction facilities 
w which permit widespread use and convenient ac- 
cess to users. The authorized amount of the user 
card may be initially validated or refilled from a 
master refilling card, which has a larger authorized 
amount, preferably in conjunction with a supervisor 
75 card issued under strict distribution control. A refill- 
ing terminal is provided with three insertion slots 
for the three cards, and has an operations program 
to check the identity of the master refilling card 
and the user card to determine if they are valid for 
20 use in the refilling terminal. Upon clearance, the 
secure handshake recognition procedure must be 
successfully executed between the microproces- 
sors of the supervisor and master cards in order to 
permit a debit to the master card of the refill 
25 amount and a credit to the user card. If the user 
card is a new card, a validation procedure and the 
selection and storing of a user PIN are executed. 

The card automated transaction system of the 
invention has broad applicability to many other 
30 types of purchase or credit transactions besides 
postal services and products. For example, it can 
also be used for credit card transactions, inventory 
control, bills of lading, automated cash machines, 
or virtually any other type of transaction in which a 
35 user account must be securely debited through an 
automated terminal in exchange for an article or 
item of value. The invention is especially advanta- 
geous in off-line transactions in which distributed 
terminals not under strict access controls are used. 
40 The above principles, advantages, and features of 
the invention are described in further detail below 
in conjunction with the following drawings. 

BRIEF_ DESCRIPTION OF DRAWINGS 

45 

Fig. 1 illustrates schematically a preferred em- 
bodiment of an automated postal transaction ter- 
minal using a microprocessor card in accor- 
dance with the invention; 

so Fig. 2a shows a structure in the embodiment of 
Fig. 1 for executing a secure handshake rec- 
ognition procedure between the microprocessor 
card and a value dispensing section of the ter- 
minal, and Fig. 2b outlines the handshake se- 

55 quence; 

Fig. 3 illustrates the multiple levels of security 
provided by the system of Fig. 1; 
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Fig. 4 shows another embodiment of the postal 
transaction terminal of the invention which re- 
ceives a rate card for automatically computing 
postal amounts; 

Fig. 5 is a flow diagram of the operation of the 
terminal of Fig. 4; 

Fig. 6a shows the use of coded marks for au- 
thentication of a postmark printed by a postal 
transaction terminal, and Fig. 6b shows one ex- 
emplary form of authentication coding; 
Fig. 7 illustrates schematically a preferred em- 
bodiment of an automated waybill printing termi- 
nal and an optical scale using a microprocessor 
card and a special services card in accordance 
with the invention; 

Fig. 8 is a flow diagram of the operation of the 
terminal of Fig, 7; 

Fig. 9 illustrates a standard form of waybill and 
cursor prompts for filling in its information fields; 
Fig. 10 illustrates schematically a preferred em- 
bodiment of an automated refilling terminal us- 
ing a microprocessor card, a master card, and a 
supervisor card in accordance with the inven- 
tion; 

Fig. 1 1 is a flow diagram of the operation of the 
terminal of Fig. 10; and 

Fig. 12 shows the integrated system of micro- 
processor cards, memory cards, and terminals 
of the invention. 

DETAILED pES_C_R[PJlON_0_FJNVE_NTION 

In accordance with the basic principles of the 
invention, an automated transaction system em- 
ploys a microprocessor card in an automated trans- 
action terminal. Various types of microprocessor 
cards are available commercially, and the technol- 
ogy of manufacturing such cards and using them in 
terminal devices is well understood. As an exam- 
ple, Micro Card Technologies Inc. of Dallas, Texas, 
makes the Micro Card Mask M4 card which is a 
standard (ISO) size, similar to a credit card, having 
an 8-bit microprocessor, 8 contact pinout, 9600 bps 
asynchronous serial exchange protocol, 12.8 Kbits 
of Read-Only Memory (ROM), 288 bits of Random 
Access Memory (RAM), and 8 Kbits of Eras- 
able/Programmable ROM (EPROM). An array of 
electrical contacts provided in one section of the 
card connects with the corresponding contacts in 
the terminal to allow the card microprocessor to 
communicate data with the terminal. It is of course 
understood that other types of data communicating 
connections can be used, such as, for example, by 
magnetic induction. 

The conventional microprocessor card as used 
in the present invention operates by executing an 
internally stored program (firmware) which cannot 
be accessed from the outside. The firmware may 



be written in randomized form to secure it against 
tampering from the outside. An electrically prog- 
rammable (EPROM) memory portion associated 
with the microprocessor of the card is generally 

s divided into three zones: a secret zone which can 
only be accessed internally; a protected read/write 
zone which can only be accessed after a key 
number or PIN has been confirmed, and a free- 
reading zone. The card is used in a terminal for 

w performing desired functions in accordance with 
the rules, procedures, and data stored in or ex- 
ecuted by the card and the terminal. 

When conventional microprocessor cards are 
issued to individual users, a validation procedure is 

75 executed on a validating terminal. The procedure 
generally requires the issuer to enter the correct 
manufacturers' serial number of the card in order 
to confirm that the card is authorized. A PIN is then 
assigned to or selected by the cardholder and 

20 stored in the secret zone. Moreover, a secret key 
number unique to the issuer, which may be com- 
mon to a class or chronological series of cardhol- 
ders, may also be stored in the secret zone. In 
some card systems, the secret key is used as an 

25 argument of an encryption algorithm to send an 
encrypted word to the terminal for verification. If 
the word can be decoded by the terminal to derive 
the secret key, the card is presumed to be authen- 
tic. Upon completion of the validation procedure, 

so the card MPU irreversibly alters its program so that 
no further words can be written in the secret mem- 
ory zone. Thereafter, upon using the card, a user 
must enter the correct PIN in order to confirm that 
the card is being used by its authorized user. 

35 Conventional microprocessor cards also have the 
feature of temporarily or permanently locking the 
card from use if a succession of incorrect PIN 
entries on a terminal is detected. 

At the time of issuance, an amount in monetary 

4o or other units is validated for the card being issued. 
In conventional cards, the amount is permanently 
written in one of a plurality of transaction sectors in 
the protected memory zone. Each time the card is 
to be "filled" with a new amount, one of the sectors 

45 is unlocked and written with a new amount by the 
issuer. Thus, a limited authorized amount can be 
written each time, and the card is then refilled a 
number of times before its memory space is used 
up. This is a security feature to minimize monetary 

so \os$ in case the card is lost or stolen. The au- 
thorized amount is decremented with each transac- 
tion and a new balance is written until the balance 
is used up. Although any amount or balance can 
be written into the card's transaction memory, as a 

55 further security feature the card may prevent a 
balance being written which exceeds a predeter- 
mined limit or a previously written balance. 
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A card automated transaction system incor- 
porating the particular features of the invention will 
now be described. It should be understood that 
although particular embodiments are described, the 
invention is not limited to such embodiments, but 
encompasses all modifications and variations which 
use the principles of the invention. For purposes of 
this description, the transaction terminal is selected 
to be a postage metering terminal for printing a 
postmark on a label, envelope, or waybill for arti- 
cles to be mailed or shipped. However, it should be 
understood that the general principles of the inven- 
tion have broad applicability to any type of transac- 
tion terminal in which a microprocessor card may 
be used. For example, the terminal may also be a 
cash or article dispensing machine or a printer 
which prints validation marks, coupons, receipts, 
tickets, inventory documents, etc. 

PostageMetert ng_ Ter m i nal 

Referring to Fig, 1, a microprocessor card 10, 
as previously described, is adapted to be inserted 
in a card insertion slot 11 of an automated terminal 
device 20. The smartcard 10 has a contact section 
12 which has a number of contacts 13 connected 
to the pinout leads of an IC chip including a micro- 
processor unit (card MPU) 60 laminated beneath a 
protective layer of the card contact section 12. The 
contacts 13 are mated with corresponding contacts 
23 of a terminal contact section 22 upon insertion 
of the card 10 into the slot 11 in the direction 
indicated by arrow A. As the card is inserted, its 
leading edge abuts a part of the terminal contact 
section 22 which is moved in the same direction, 
indicated by arrow B, so as to merge in operative 
electrical contact with the card contact section 12. 
A trip switch 22a is provided at the base of slot 1 1 , 
and triggers a start signal to an operations micro- 
processor (terminal MPU) 30 when the card has 
been fully inserted in position in the slot. 

The card MPU 60 executes an internally stored 
(firmware) program to check whether a requested 
transaction is authorized and, prior to debiting the 
card account balance, to perform a secure hand- 
shake recognition procedure (described further be- 
low) with a microprocessor in the terminal. Al- 
though the handshake procedure can be performed 
with an operations microprocessor for the terminal, 
or one remote to the terminal, it is preferred in the 
invention that the procedure be performed with a 
secure microprocessor embedded in the actual val- 
ue dispensing section of the terminal. The value 
dispensing section is a separate element in the 
terminal, and its microprocessor is made physically 
secure, such as by embedding it in epoxy, so that 
any attempt to tamper with it would result in ren- 
dering the value dispensing section inoperative. For 



the postal transaction terminal of the invention, the 
microprocessor is embedded in the printer unit 
which prints the postmark. 

The terminal contacts 23 are connected with 

5 the functional parts of the terminal, including a 
Clock synchronizing connection 24 f a Reset con- 
nection 25, an operational voltage Vcc connection 
26, an Input/Output (I/O) port 27, an EPROM-writing 
voltage Vpp connection 28, and a ground connec- 

10 tion 29. The terminal MPU 30 controls the interface 
with the card and the operation of the various parts 
of the terminal, including a keyboard 31, a display 
32, such as an LCD, and a postmark printer 40, 
which is the value dispensing section of the termi- 

75 nal. A power source Vo is provided by a battery 
and/or an external AC or DC line to power the 
various parts of the terminal. 

The printer 40 has a microprocessor unit (print- 
er MPU) 41 which individually and uniquely con- 

20 trots the operation of a print head 42, such as an 
electrothermic or impact print head. The MPU 41 
executes an internal program (firmware), like the 
card microprocessor, so that it cannot be tampered 
with from the outside. The printer MPU's internal 

25 program includes unique encryption algorithms 
parallel to those stored in the card's microproces- 
sor, installed by the manufacturer, so that the print- 
er MPU can execute a secure handshake recogni- 
tion procedure with the card's microprocessor to 

30 authorize a requested transaction. The MPU 41 is 
also formed integrally with the print head 42, such 
as by embedding in epoxy or the like, so that it 
cannot be physically accessed without destroying 
the print head. Thus, according to the invention, the 

35 print head 42 of the postage metering terminal 20 
can only be operated through the MPU 41, and will 
print a postmark only when the handshake recogni- 
tion procedure and a postmark print command 
have been executed between the car6 MPU and 

40 the printer MPU 41. 

When a terminal is to be installed by the issuer 
in a location or distributed to a retail intermediary 
for field use, the issuer may also execute a valida- 
tion procedure for the terminal similar to that for 

45 the card. A secret key number may be written in 
the secret memory zone of the printer MPU 41, so 
that postage printing transactions can only be ex- 
ecuted with cards provided with the corresponding 
secret key number. Thus, cards validated by an- 

50 other issuer, even though obtained from the same 
manufacturer, will not be usable in the first-men- 
tioned issuer's machines. 

The terminal MPU may of course be used for 
the handshake recognition procedure. However, it 

55 is preferable to have the procedure executed by 
the part which is actually dispensing the article of 
value, and to leave the terminal MPU operable for 
general terminal operations. A machine ID number 
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(MIN) may also be assigned to the terminal so that 
it can be recorded in the transaction history main- 
tained on the card. As a further feature, the MIN for 
one or more of the issuer's terminals can be stored 
in cards which are to be used only in those termi- 
nals. Thus, in an automated terminal system pro- 
vided for one company, the terminals within the 
company can only be used with the cards issued 
to the employees of that company which have the 
company's secret key number and, optionally, the 
terminals within a department of the company may 
be configured to accept only cards provided with 
the MINs of that department's machines. 

The interactive operation of the card/terminal 
system will now be described. Upon inserting a 
card in slot 11, the trip switch 22a is triggered, and 
the terminal MPU 30 initiates an identification re- 
quest procedure to confirm that the card is being 
used by an authorized user. For example, the ter- 
minal MPU may cause a prompt to appear on the 
display 32 requesting that the user enter a PIN. 
The number entered by the user is sent by the 
terminal MPU to the card MPU where it is checked 
against the PIN number(s) stored in the secret 
zone of the card's memory. If the number matches, 
the card MPU notifies the terminal MPU 30 to 
proceed. If the card is restricted for use only in 
particular machines, the card may request the ter- 
minal's MIN and check it against a stored list of 
authorized terminal numbers. If the terminal is re- 
stricted for use only with certain cards, the terminal 
may check the PIN or a card identification or 
account numbers against a stored list of authorized 
card numbers. As another security feature, the card 
program may check the number of incorrect PIN 
entries attempted or a card expiration date written 
in memory at the time of issuance. If the incorrect 
PIN entries exceeds a predetermined number, or if 
the current date indicated from the terminal MPU 
30 is past the expiration date, the card MPU 60 can 
lock the card against further use until the user has 
had it revalidated by the issuer. 

If the initial confirmation procedures are 
passed, the terminal MPU 30 next prompts the 
user to enter information for a postage transaction. 
The user inputs on keypad 31 the amount of post- 
age requested and, as a further option, the zip 
code of the sender's location and the date. As the 
information is supplied in sequence, i.e. "Amount", 
"Zip", and "Date", it is displayed on display 32 for 
confirmation. Alternatively, the date may be main- 
tained by the terminal MPU 30, and displayed for 
user confirmation. When all the correct information 
has been entered, an edge of an envelope 51 to be 
mailed, or a label or mailing form to be attached to 
an item to be mailed, is inserted in a slot 50 on 
one side of the postage metering terminal 20. The 
movement of the label or envelope may be con- 



trolled to bring it in registration with the print head, 
as provided in conventional metering machines. 
The user then presses the "Print" key to initiate a 
postage printing transaction. 

5 

Handshake Recognition Procedure 

A basic principle of the invention is that the 
actual execution of a value-exchanging transaction 
70 is securely controlled by a mutual handshake rec- 
ognition procedure between a secure microproces- 
sor maintaining the card account balance and a 
secure microprocessor controlling the value dis- 
pensing operation. The card's MPU must recognize 
75 the value dispensing section's microprocessor as 
valid, and vice versa, in order to execute a transac- 
tion. The card and the value dispensing section 
therefore can each remain autonomous and pro- 
tected against counterfeiting or fraudulent use even 
20 if the security of the other has been breached. 
Since they are autonomous, the cards and termi- 
nals can be distributed widely with a low risk of 
breach of the system and without the need for 
strict access controls. It thus has significant cost 
25 and security advantages over conventional card 
automated transaction systems. 

A two-way encrypted handshake embodiment 
will now be described. However, it should be un- 
derstood that the invention is intended to encom- 
30 pass any mutual handshake procedure by which 
the card and dispensing microprocessors can rec- 
ognize the other as authorized to execute a re- 
quested transaction. In the preferred postage termi- 
nal embodiment, the handshake procedure is ex- 
35 ecuted between the card MPU 60 and the printer 
MPU 41. As illustrated schematically in Fig. 2a, 
when the "Print" key signal is received by the 
terminal MPU 30, the latter opens a channel 61 of 
communication between the card MPU 60 and the 
40 printer MPU 41. A "commence" signal and the 
amount of the requested transaction, i.e. postage, 
is then sent from the terminal MPU 30 to the card 
MPU 60, and a similar "commence" signal to the 
printer MPU 41, in order to prepare the way for the 
45 handshake procedure. 

Referring to Fig. 2b, the card MPU 60 initiates 
the handshake procedure upon receipt of the 
"commence" signal by first verifying if the re- 
quested amount is available for the transaction. As 
so an advantageous feature of the invention, the card 
MPU 60 checks the available balance of the card 
and (if implemented in the card's program) whether 
the requested transaction is within any limits speci- 
fied by the card issuer. For example, use of the 
55 card can be limited to a maximum postage amount 
and/or class of postage for each transaction or a 
cumulative total of transactions. Upon verifying that 
the requested transaction is authorized, the card 
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MPU 60 encrypts an object number N, which may 
be a randomly generated number, with a key num- 
ber k1 (which may be the user's PIN) stored in the 
secret zone of its memory by a first encryption 
algorithm E1 and sends the resultant word W1 
through the handshake channel 61 of terminal MPU 
30 to the printer MPU 41. 

Upon receipt of the word W1 , the printer MPU 
41 decodes the number using the same number k1 
by the inverse algorithm E1\ The number k1 may 
be a secret key number stored in the printer MPU's 
memory at the time of validation, or in an open 
system, it may be the PIN entered by the user on 
the terminal, or a combination of both. The printer 
MPU 41 then encrypts the decoded number with 
the number k1 by a second encryption algorithm 
E2 to send a second word W2 back to the card 
MPU 60. 

Upon receipt of the word W2, the card MPU 60 
decodes the number again using the key number 
k1 by the inverse of the second algorithm E2\ and 
compares the decoded number with the number it 
used in the first transmission. If the numbers 
match, the handshake procedure has been suc- 
cessfully completed, and the card and printer 
MPUs have recognized each other as authorized to 
execute the requested transaction. The card MPU 
then debits the postage amount from the card 
balance, and then sends a print command and the 
postage amount to the printer MPU. The printer 
MPU prints the postage on envelope 51, in 
cooperation with the terminal MPU 30 whic controls 
the movement of the envelope under the print 
head. The printer MPU then sends an "end" signal 
to the terminal MPU 30, which accordingly switch- 
es off the handshake channel 61 and resets itself to 
receive the next transaction request. 

In the preferred embodiment, the card MPU 60 
stores only the amount of the transaction in its 
transaction record, and does not store the new 
balance. Instead, the balance is recomputed from 
the original authorized amount and the stored his- 
tory of transaction debits at the time a transaction 
is requested. This procedure substitutes the MPU's 
computing power to save a significant amount of 
card EPROM memory space. 

The card automated transaction system of the 
invention is provided with high security at a plural- 
ity of levels, which is particularly advantageous for 
off-line transactions involving large numbers of is- 
sued cards and widely distributed terminal devices. 
As depicted in Fig. 3, the encryption algorithms are 
provided at the first security level I by the manu- 
facturer, the secret key, PIN, and/or MIN are pro- 
vided at security level II by the issuer, the PIN is 
used at security level III by a particular user, and 
the MIN and/or secret key may be used at security 
level IV to operate a particular machine(s). 



At level I, the print head of the terminal is only 
operable to dispense value, i.e. print postage, if the 
encryption algorithms provided by the manufac- 
turer match those of the card, thereby protecting 

5 against counterfeit cards and terminals. Even if the 
security of the manufacturer has been penetrated, 
and the encryption algorithms have been obtained 
by a counterfeiter, the secret key may be assigned 
at level fl by the issuer and used in the handshake 

10 procedure, thereby deterring the use of counterfeit 
cards and terminals which do not have the secret 
key, At security level III, a card can only be used to 
operate a terminal if the correct PIN is known, and 
if initial confirmation procedures are passed. At 

75 security level IV, a card can only be used in a 
particular terminal identified by the correct MIN. 

A related embodiment of the invention is illus- 
trated in Fig. 4 which employs a second card 
having postal rate data stored in memory to com- 

20 pute the correct postage automatically. A terminal 
20, similar to the one previously described, in- 
cludes a second slot 91 for a "rate" card 90. The 
terminal has a slot 50 in which a postal label or 
envelope 51 is inserted for imprinting by the printer 

25 40. For a parcel 52, the label 51 is printed then 
affixed to the parcel for mailing. A scale 53 may be 
connected to the terminal and MPU 30 to provide 
the weight of the envelope or parcel 52. 

The rate card has a memory device 92, prefer- 

30 ably an IC ROM, which is accessed and read by 
the terminal MPU 30 through contact portion 93 
mated in contact with the pinout terminals of the 
memory device. Switches 22a and 92a provide 
signals when the user and rate cards have been 

35 inserted in the respective slots. Insertion of the 
user card initiates operation of the terminal, if a 
rate card is not inserted, the terminal MPU 30 can 
instead request the appropriate postal amount from 
the user by a prompt on the display 32. The 

40 terminal MPU may also have a mode for reading 
postal rates from the rate card. 

The program operation of the postage metering 
terminal 20 is illustrated in block diagram form in 
Fig. 5. Upon insertion of the user card 10 in slot 

45 11, the user confirmation procedures previously 
described are carried out between the terminal 
MPU 30 and card MPU 60. If an unauthorized card 
or user is detected, the card is locked and the 
terminal operations are terminated. If a valid user 

50 card is confirmed, the terminal program then 
checks if a rate card 90 is inserted and whether it 
is valid. Validity can be determined by the issue 
number of the card or by an indicated expiration 
date. If there is no rate card, the terminal MPU 

55 requests the user to Input the desired postage and 
goes to the print key decision block 97. If a valid 
rate card is present, the terminal program requests 
the codes for the source and destination of the 



8 



15 



EP 0 619 564 A1 



16 



item and the class of mail desired. The program 
then checks for a signal from the scale 53 indicat- 
ing the weight of the item. If no scale is connected 
or weight indicated, the program requests the user 
to input the information. 

The rate card memory contains a current listing 
of the rates for a particular carrier divided accord- 
ing to zone classifications, weight, and/or type of 
mail. For the U.S. Postal Service, the postage 
amount is calculated based upon the Postal Ser- 
vice, the postage amount is calculated based upon 
the origin and destination zip codes, class of mail, 
and weight by looking up tables stored in the rate 
card memory 92. If the "Print Key" is depressed, 
the terminal program then sends the "commence" 
signal to the card MPU and printer MPU to execute 
the handshake procedure and debiting and printing 
operations as previously described. If an "Auto" 
mode key of the terminal has been pressed or the 
user elects to continue in response to a prompt, 
the terminal program returns to the beginning of 
the transaction loop indicated at block 94. The 
"Auto" mode may be used in conjunction with an 
automatic feeder for postmarking a series of en- 
velopes or labels. The terminal operation is termi- 
nated if the transaction loop is not continued, or if 
the handshake procedure is not completed. 

Postmark Authentication 

In accordance with the principles of the inven- 
tion as applied to postage metering terminals, a 
postmark authenticating procedure will now be de- 
scribed. The procedure is provided as a security 
feature to deter the printing of a counterfeit post- 
mark by a printer, copier, o other facsimile device 
which is not authorized by the issuer of the above- 
described card/terminal system. Conventional high 
resolution printers and graphics capabilities of per- 
sonal computers present an increasing risk that 
value-confirming marks, such as a postmark, ticket, 
coupon, etc. can be simulated by a counterfeiter. In 
the invention, an underlying and/or invisible ma- 
chine readable code is printed first and then over- 
printed with the human readable postmark. The 
code can be uniquely selected by the issuer of the 
postage card/terminal system, and periodically 
changed to eliminate any benefit from gaining un- 
authorized access to the code. Further, the code 
can be printed with ink that is invisible in the 
normal light spectrum, so that it is readable only 
with a magnetic, infrared, or ultraviolet reader. 

Referring to an example shown in Figs. 6a and 
6b, a conventional imprinted postmark has a logo 
or graphic design 70, text 71 indicating that the 
postage is issued through the U.S. Postal Service, 
numbers 72 indicating the postage amount, as well 
as the date 73, city 74, state 75, and zip code 76 



of origin, and the identification number 77 of the 
postage meter from which the postmark was print- 
ed. In the invention, coded marks 78 are printed 
beneath the visible postmark in a predetermined 
5 code field 79 in invisible, machine readable ink. 
The algorithm for the coded marks is selected by 
the issuer, for example, representing the binary 
equivalent of the postage amount, i.e. "90" cents in 
Fig. 6a, shown in binary form in Fig. 6b. The coded 
w marks can represent any other element of the 
postmark, such as the meter identification number 
or zip code. Alternatively, a bar code 83 can be 
printed with a postmark information section 83a 
and a check code section 83b, which is encrypted 
75 based upon one of the postmark elements. The 
postmark element and/or the encryption algorithm 
can be uniquely selected by the issuer. Even if the 
coded marks are printed in visible form, the en- 
cryption of a variable postmark element, such as 
20 the sender's zip code, date, or postage amount, 
will make copying difficult. 

The printing of the postmark and authentication 
code can readily be incorporated in the 
card/terminal system illustrated in Fig. 1. The print- 
25 er 42 is provided with a memory 43 to which data 
representing the visible information of the postmark 
and the computed binary or other selected check 
code or converted bar code is transmitted from the 
terminal MPU 30 and stored. The fixed graphics of 
30 the postmark may be stored in a memory as- 
socated with the MPU 30, which is preferable if the 
same terminal has the capability of printing a vari- 
ety of postmark graphics for different carriers 
and/or classes of service, or it may be permanently 
35 stored in a section of the printer memory 43, The 
fixed graphics may instead be stored in the card's 
memory and loaded by terminal MPU 30 in the 
printer memory 43 for a requested transaction. 
Alternatively, the fixed graphics may be provided 
40 on a platen which operates with the print head if 
only one type of postmark is to be printed. 

In the preferred form, the print head 42 is an 
impact printer which has two ink ribbons 42a and 
42b, one of invisible, machine readable ink and the 
45 other of visible ink. When the handshake procedure 
has been completed, and the print command is- 
sued by the card MPU 60, the printer MPU 41 
accesses the data stored in the memory 43 and, in 
a first pass, prints the coded marks in invisible ink 
50 then, in a second pass, prints the visible postmark 
information. 

As indicated in fig. 6a, when mail or other 
articles are subsequently presented to a central 
mail routing and distribution system, such as that 
55 of the U.S. Postal Service or a private carrier, the 
postmark may be passed under a detector 80 
which has a visible light spectrum reader 81 and a 
code reader 82, such as a magnetic, infrared, or 
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ultraviolet reader, or a bar code reader 83 for bar 
code marks. If the code marks are absent or if the 
check code does not correspond to the element of 
the postmark selected for coding, an audit record 
can be made of the non-conformity, for example, 
by recording the meter identification number, date, 
and zip code of origin. An investigation of the 
source of the unauthorized postage can then be 
initiated if numerous articles are found bearing un- 
authorized postmarks. The postmark authentication 
marks of the invention thus provide an additional 
level of security against counterfeiting which is not 
offered in conventional postal metering machines. 

Postal_Way bi M Terminal 

A further embodiment of the invention is illus- 
trated in Fig. 7 which is adapted for printing stan- 
dard form waybills for mailing articles using a wide 
range of postal or private carrier services. A termi- 
nal 20* includes a slot 11 for a user card 10, a 
terminal MPU 30, a printer 40 and printer MPU 41 , 
a keyboard 31', and a display 32*, as previously 
described with respect to Fig, 1 . The terminal also 
includes a second slot 91 for a "rate" card 90 and 
a third slot 101 for a "special services" card 100. 
The terminal has a slot 50 in which a standard 
waybill form 51 1 is inserted for imprinting by the 
printer 40. The waybill 51 1 is then affixed to an 
envelope or parcel 52 for mailing. A scale 53 can 
be connected to the terminal and MPU 30 to auto- 
matically provide the weight of the parcel 52. 

The rate and special services card have mem- 
ory devices 92 and 102, respectively, which are 
preferably IC ROMs that are accessed and read by 
the terminal MPU 30 through contact portions 93 
and 103, respectively, mated in contact with the 
pinout terminals of the memory devices. Switches 
72a, 92a, and 102a provide detection signals when 
the cards have been inserted in the respective 
slots. A display 32' provides a full field correspond- 
ing to the appearance of the waybill form, and the 
keyboard 31' includes a full set of alphanumeric 
characters and command keys. 

The rate card memory contains a current listing 
of the rates for a particular carrier. For example, if 
the carrier is the U.S. Postal Services, the Post 
Office rates are listed according to zone classifica- 
tions, weight, and class of mail. The special ser- 
vices card memory contains a program for filling 
out a standard waybill form in accordance with the 
information required by and with indicia identifying 
the mailing services of a particular carrier. For 
example, if the carrier is the U.S. Postal Service, 
the special services card can provide the programs 
for printing waybills for Express Mail, Certified Mail, 
Registered Mail, Insured Mail, etc. 



The program operation of the postal waybill 
terminal 20' is illustrated in block diagram form in 
Fig. 8, and a sample waybill form is shown in Fig. 
9. Upon insertion of the user card 10 in slot 11, the 
5 user confirmation procedures previously described 
are carried out between the terminal MPU 30 and 
card MPU 60. If an unauthorized card or user is 
detected, the card is locked and the terminal oper- 
ations are terminated. With a valid user card, the 
w terminal program then checks if a rate card 90 
and/or a special services card 100 is inserted and 
whether each is valid. Validity can be determined 
by the issue number of the card or by an indicated 
expiration date. If there is no rate card or special 
15 services card, the terminal MPU requests the user 
to input the desired postage and goes to the print 
key decision block 121. The terminal is then used 
to print a postmark or postage label as described 
previously. If a valid services card is present, the 
20 terminal program displays a menu of mailing or 
carrier services from the services card and re- 
quests the user to select a service. 

The terminal MPU 30 loads the selected ser- 
vice program from the service card and executes it, 
25 as indicated at block 118. For typical carrier ser- 
vices, the service program displays a standard 
carrier waybill form used by the selected carrier. 
For example, if the U.S. Postal Service Express 
Mail service is selected, the form shown in Fig. 9 is 
30 displayed. The form includes a carrier identification 
field 130, service class field 131, and pointers on 
the display for inserting information in fields 132- 
137 and 140-146. A waybill identification number in 
bar code 138 and characters 139 is selected for 
35 the transaction and displayed. Preferably, the ser- 
vices card has a list of reserved waybill numbers 
which are sequentially incremented for each com- 
pleted transaction. If a transaction is not completed, 
the number is saved for the next transaction. As 
40 described previously, the bar code can include a 
section which is an encryption of one element of 
the waybill information, so that the authenticity of 
the form can be verified by machine processing of 
the waybill. 

45 The services program as executed by the ter- 

minal MPU 30 next uses cursor prompts to request 
the user to provide information for certain fields, 
such as the zip codes or origin and destination 132 
and 133, and the addresses of the sender and 

so recipient 140 and 141. As the user supplies each 
item of information and presses an "Enter" key, the 
program causes the cursor to shift to the next field 
of information to be supplied, as indicated by the 
arrows C in Fig. 9. The date and time fields 134 

55 and 135 may be requested from the user or sup- 
plied from the terminal if it is provided with a clock 
and calendar. The weight 136 may be provided 
from the output of the scale 53, if connected to the 
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terminal, or supplied by the user. The meter iden- 
tification number (MIN) is supplied by the terminal 
for field 137. 

Based upon the origin and destination zip 
codes and weight, the postal amount, other service 
charges, and total maount 144-146 are calculated 
and displayed under program control using the rate 
card if appropriate. The total transaction amount is 
saved. If the "Print" key is depressed, the terminal 
program then sends the "commence" signal to the 
card MPU and printer MPU to execute the hand- 
shake procedure and debiting and printing oper- 
ations as previously described. If an "Auto" mode 
key of the terminal is depressed or the user elects 
to continue in response to a prompt, the terminal 
program returns to the beginning of the transaction 
loop indicated at block 113. The terminal operation 
is terminated if the transaction loop is not contin- 
ued, or if the handshake procedure is not com- 
pleted. 

The terminal can be used to program and print 
the waybills of other selected carriers or services 
by insertion of the proper user, rate and/or service 
cards. For convenience of the automated terminal 
system, it is desirable if all postal and waybill 
forms can be standardized to one or a limited 
number of form blanks. 

RejilHngTemmnal 

Another embodiment of the invention is the 
provision of a user card refilling terminal which 
may be maintained at any desired postal retail or 
distribution location for the convenience of the is- 
suer of the cards and users. A new amount can be 
"filled", i.e. credited to an authorized balance main- 
tained in the user card, and a master refilling card 
having a greater amount for distribution is cor- 
respondingly debited. In accordance with the prin- 
ciples of the invention, the secure handshake rec- 
ognition procedure is executed before the transac- 
tion is authorized. The refilling terminal can also be 
used to validate new cards to be issued. 

An exemplary embodiment of the refilling ter- 
minal is shown in Fig. 10, having a first slot 161 for 
a master refilling card 160, a second slot 171 for a 
supervisor card 170, a third slot 174 for a user card 
10, a terminal microprocessor 30", a keyboard 31", 
and a display 32". Each card is of the type de- 
scribed previously, with secure microprocessors 
(MPU) 162, 172, and 60, respectively, in contact 
with respective terminal contacts 163, 173, and 
175. Switches 162a, 172a, and 176 provide detec- 
tion signals when the cards are inserted in their 
respective slots. The operation of terminal MPU 
30" is enabled after insertion of a master card 160 
and a supervisor card 170. 



A master refilling card is initially purchased 
from a central issuer, such as the U.S. Postal 
Service, an authorized distributor for the central 
issuer, or a private carrier company. It is generally 
5 intended to be purchased by a local refilling entity 
which provides service to individual users, such as 
a bank branch, retail store, or corporate depart- 
ment. In the preferred embodiment, it is manufac- 
tured in a fixed denomination and remains locked 
w until it is activated by a supervisor card of the 
central issuer. The encryption algorithms used for 
the handshake procedure are already written into 
its MPU firmware, and is enabled to execute the 
handshake procedure when the secret key number 
75 is installed by a supervisor card during the activa- 
tion procedure. Once activated, the master card 
balance is debited for refilling transactions until it is 
used up. A history of all debiting transactions is 
maintained in the master card. 
20 A supervisor card is provided by the central 

issuer in the custody of an officer or manager of 
the local refilling entity and a supervisor PIN is 
assigned. The supervisor card is used to unlock all 
master cards sold to the refilling entity and to 
25 maintain a record of the serial numbers of the 
master cards for subsequent card confirmation pro- 
cedures. It is used to authorize crediting transac- 
tions to user cards, and maintains a transaction 
record of all refilling operations and the identity of 
30 the recipient user cards. The supervisor card is 
manufactured with the handshake encryption al- 
gorithms in firmware, and may be provided by the 
central issuer with a secret key number to be 
installed in the master and user cards. The master 
35 and supervisor cards together allow user cards to 
be conveniently refilled at widely distributed local 
entities without the need for on-line confirmation of 
each refilling transaction from the central issuer. 
Alternatively, the user card can be refilled by the 
40 master card alone, with the handshake procedure 
executed between the user card's MPU and te 
master card's MPU. However, the use of a control- 
ling supervisor card is preferred as an additional 
level o security to deter counterfeiting or fraudulent 
45 use of the higher value master cards. 

The operation of the refilling terminal will now 
be described for the preferred three-card embodi- 
ment with reference to the block diagram of Fig. 
11. Upon initiation of the terminal program, the 
50 master card is checked at block 180 to determine if 
it is already activated. If not, the terminal follows an 
activation procedure at block 181 of confirming the 
supervisor P!N, checking the master card serial 
number, installing a secret key number in the mas- 
55 ter card, executing the handshake procedure, then 
unlocking the master card's balance, and recording 
the master card's serial number, balance, date, and 
other transaction information. 
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If, the master card has already been activated, 
the supervisor card checks the master card serial 
number against its record of authorized master 
cards. If the master card is unauthorized, the termi- 
nal program goes to an end procedure at block 
197. With an authorized master card, the terminal 
program checks if the user card inserted in the 
terminal is new or to be refilled. For a new user 
card, the refilling terminal executes at blocks 190- 
193 a validation procedure which includes checking 
the designated card serial number with the number 
embedded in its memory, recording the user's 
identification information, and assigning a user PIN. 
At block 192, the terminal prompts the operator for 
any limitations on the amounts or type of transac- 
tions the card can be used for, the identification 
numbers of the terminals to which the card is 
restricted, or an expiration date if required by the 
issuer. The validation procedure is completed by 
installing the secret key number and sealing the 
secret memory zone. 

If the user card is to be refilled, the user PIN is 
confirmed, and then the card is checked for any 
balance to be credited toward the new amount or 
to the user's account. The old memory section is 
then locked from further transactions, and can only 
be used for reading out a transaction history. Upon 
a request for a new amount, either for a new card 
that has been validated or for a card to be refilled, 
the terminal MPU 30" opens a handshake channel, 
and the handshake procedure previously described 
is executed between the master MPU 162 and the 
supervisor MPU 172. When the handshake proce- 
dure is completed, the master balance is debited 
and the supervisor card proceeds to open a new 
transaction memory section in the user card into 
which the new balance is written. The program 
then provides at block 197 an end selection of 
further operations which may be carried out on the 
refilling terminal. For example, another refilling 
transaction may be processed, the supervisor card 
record may be updated, the newly validated user 
or master card may be embossed with a serial 
number or account number if the terminal is con- 
nected to an embossing machine, or operations 
may be terminated. 

The described refilling system is protected at 
several levels of security. First, a supervisor card is 
required, and the user card must be validated by 
the user PIN. The master card must be validated 
by the supervisor card and must execute the hand- 
shake procedure before the user card is credited 
with a new amount. The card/terminal system has 
the primary advantage that the debiting of the card 
balance is executed in the same time frame that 
the value dispensing operation is carried out, and 
the exchange can only be carried out for each 
transaction if the mutual handshake recognition 



procedure is executed between the secure micro- 
processors controlling each part. Also, the central 
issuer purchases the card/terminal system from the 
manufacturer with a given set of encryption al- 
s gorithms, and then selects a unique secret key not 
known to the manufacturer. Thus, penetration of the 
manufacturer's security will not compromise the 
security of the issuer's system. By issuing cards 
with defined expiration dates or series numbers 
70 and changing the secret keys periodically, an is- 
suer system can be made even more impenetrable 
to counterfeiters. 

The user's card is not merely a passive record 
of an account number and balance, but rather 
75 operates to affirmatively protect against unauthoriz- 
ed use of the card, for example, if a succession of 
incorrect PIN entries is made, if the card is used 
beyond its expiration date or in an unauthorized 
machine, or if a requested transaction is in excess 
20 of predetermined limits. Similarly, the value dis- 
pensing part of the terminal is protected against 
tampering by the physical bonding of the printer 
microprocessor to the print head. 

Moreover, since the postal and refilling transac- 
25 tions are executed with cards issued by a central 
issuer take place only within the issuer's system, 
they are protected from counterfeit cards or cards 
issued by another system. One issuer's system 
thus remains closed to all other issuers systems, 
30 and several systems can use the same terminals 
without interference from the other. For example, 
the U.S. Postal Service and several private carriers 
can each constitute a separate issuer system is- 
suing its own cards. A user can purchase a card 
35 from each system and use the proper card in any 
terminal maintained at a local entity (branch post 
office, bank branch, local retail store) to generate 
authorized postage or a waybill for use in the 
corresponding system. Thus, users will have the 
40 benefit of secure and convenient access to a wide 
range of postal and carrier services. 

In the invention, the microprocessor cards 
(user, master, and supervisor), memory cards (rate 
and special services), and terminals (metering, 
45 waybill printing, and refilling) comprise an inte- 
grated postal transaction system which provides a 
greatly improved level of access, convenience, and 
security, compared to conventional postal ma- 
chines. The overall system is illustrated in Fig. 12. 
so It allows widely issued user cards to be used in 
widely distributed postage metering and waybill 
printing terminals, with the appropriate rate and/or 
services cards, to access a plurality of postal and 
carrier services. The refilling terminals allows a 
55 central issuer to distribute postal monetary value to 
users at widely distributed locations. Strict physical 
access controls are not required, the need to limit 
the postal amounts and services obtainable by 
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issued cards is reduced, in-person purchase trans- 
actions are avoided, and on-line confirmation by a 
central account office is obviated. The cards and 
terminals are cvonfigured to be autonomous, yet 
mutual recognition and confirmation of validity and 
transaction amounts are required, thereby providing 
a high level of security for the system. 

Further, the invention is not limited to the de- 
scribed automated postal terminals, The principles 
of the invention can be adapted to any other value 
exchanging transaction where it is desired to use 
an account card in an off-line automated terminal 
system. Thus, the described smartcards and value 
dispensing terminals can also be used for dispens- 
ing cash, printing tickets, issuing coupons, etc., and 
the user can possess a variety of cards each 
issued by a central issuer for the convenient pur- 
chase of different articles of value. Also, by im- 
plementing smartcard and terminal MPU programs 
which check for authorized machine identification 
numbers and card serial numbers, or execute the 
handshake procedure with different algorithms 
and/or secret keys, an issuer's system can be 
configured so that the issuer's cards and terminals 
may be made open or restricted to certain families, 
series or locations.. 

The invention also encompasses other features 
which are useful adjuncts to the central concepts 
described above. For example, a transaction his- 
tory printer may be provided from which a user can 
print a record of transactions stored in the smar- 
tcard upon entry of the correct PIN. The various 
cards can be provided with notches on a border or 
coded key elements to prevent insertion of the 
wrong card in an incorrect terminal slot or in a 
terminal of another issuer system. Also, the inven- 
tion can be adapted for on-line transaction sys- 
tems. For example, the terminal MPU can be con- 
nected by a telephone line or local network to a 
central processing office for approval of a transac- 
tion prior to execution of the transaction. On-line 
confirmation may be desired for initialization and 
refilling transactions which are less frequent and of 
higher value than purchase transactions. As an- 
other security feature, the card or series of cards 
may be issued with encryption algorithms and/or 
secret key numbers which are changed periodi- 
cally, and the encryption algorithms and secret 
keys corresponding to cards presented for a trans- 
action can be loaded in the terminal at the time the 
terminal MPU establishes an on-line connection to 
the central office. 

Based upon the foregoing disclosure, many 
other peripheral features and modifications and 
variations on the principles of the invention will 
become apparent to persons familiar with auto- 
mated terminals and smartcard systems. It is in- 
tended that the embodiments and features de- 



scribed herein and all further features, modifica- 
tions, and variations be included within the allowed 
scope of the invention, as it is defined in the 
appended claims. 

5 

Claims 

1. An automated transaction system comprising a 
transaction terminal (20) having a receiving slot 

w for insertion of a portable user card (1 0) there- 

in, and a plurality of user cards issued to 
different users, each user card having a micro- 
processor (60) and a memory incorporated 
therein for performing value transactions 

is through the terminal and maintaining a history 

of value transactions and user account balance 
therein, and a data output device (175) con- 
nected to the microprocessor of the user card, 
characterized in that: 

20 a plurality of master cards (160) are issued 

for refilling user account balances of user 
cards (10) via refilling transaction terminals 
(20"), each master card (160) having a micro- 
processor (162) and a memory incorporated 

25 therein for maintaining a history of refilling 

transactions and a master account balance 
therein, and a data output device (163) con- 
nected to the microprocessor of the master 
card; 

30 a plurality of refilling transaction terminals 

are provided, each refilling transaction terminal 
having a first receiving slot (174) for receiving 
a user card inserted therein and establishing a 
connection with the user card data output de- 

35 vice, a second receiving slot (161) for receiving 

a master card inserted therein and establishing 
a connection with the master card data output 
device, an operating section for performing a 
set of desired terminal functions, and a first 

40 data path for connecting the user card micro- 

processor of a user card inserted in the first 
receiving slot with the master card micropro- 
cessor of a master card inserted in the second 
receiving slot of the terminal; 

45 the user cards and master cards each 

having a mutual stored program for executing 
a refilling transaction between a user card and 
a master card inserted in the refilling terminal 
wherein account value from the account bal- 

50 ance maintained in the master card is debited 

and the account balance of the user card is 
correspondingly credited; and 

a transaction history recorder (31") capa- 
ble of receiving a user card or a master card 

55 therein and producing a transaction history 

record of the account transactions stored in the 
card. 
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2. An automated transaction system according to 
Claim 1, wherein the transaction history record 
produced by the transaction history recorder is 
a record of value transactions and refilling 
transactions executed with a user card. 5 

3. An automated transaction system according to 
Claim 1 , wherein the transaction history record 
produced by the transaction history recorder is 

a record of refilling transactions executed by a 10 
master card with a series of user cards. 

4. An automated transaction system according to 
Claim 1 , wherein a master card is assigned to 

a respective one of the plurality of refilling 15 
terminals and is used to maintain a history of 
refilling transactions executed between the 
master card and a series of user cards through 
the assigned refilling terminal. 

20 

5. An automated transaction system according to 
Claim 4, further characterized in that: 

a supervisor card (170) is provided having 
a microprocessor (172) and a memory incor- 
porated therein, and a data output device con- 25 
nected to the microprocessor; 

each refilling terminal has a third receiving 
slot (171) for insertion of a supervisor card 
(170) therein and a second data path for con- 
necting the master card microprocessor (162) 30 
of a master card (160) inserted in the second 
receiving slot (161) with the supervisor card 
microprocessor (172) of the supervisor card 
inserted in the third receiving slot of the termi- 
nal; and 35 

the supervisor card microprocessor (172) 
and memory includes a stored program for 
communicating with the master card micropro- 
cessor (162) to authorize the master card to 
execute refilling transactions with user cards 40 
through an assigned refilling terminal (20"). 

6. An automated transaction system according to 
Claim 1 , wherein each user card microproces- 
sor (60) stores records of a series of executed 45 
value transactions in the associated memory, 

and a current account balance for the user 
card is computed from the stored value trans- 
action records. 
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